General Data Protection Regulation – The Digital Honeymoon is over

Posted on June 20, 2016





For many businesses life will meander on regardless as they wander in blissful ignorance of the changing regulatory digital landscape around them. If recent surveys such as the ‘Dell Survey’ on the European Union’s new General Data Protection Regulation (GDPR) are anything to go by, an overwhelming majority of UK businesses need to wake up, become aware of what is going on, get motivated and take responsibility.

The reality is that this is the great carrot and stick moment for UK and European Business (and any organisation doing business in Europe) to step up to the huge opportunity that exists. The opportunity for businesses to turn a corner in their attitudes to Cyber Security from a bolt-on to a mandatory operational layer that’s no longer defensive, but part of their core DNA.

The change has to be so fundamental because the GDPR is about more than just IT security. It imposes an expectation on all companies doing business in Europe to act responsibly, appropriately preserving the integrity and privacy of individuals’ data. Privacy is a very different responsibility from security: much may be classed as secure but is not private. Often organisations draw their data boundaries to protect their own interests first and treat any unwarranted interference in the lives of the data subjects as an afterthought. The GDPR introduces a balance that gives data subjects greater protection over how their data can be processed.

Today’s organisational environment of risks, compliance requirements and vulnerabilities interwoven through departments, functions, processes, technologies, roles and relationships is a complexity that undermines the integrity of many Governance, Risk and Compliance (GRC) initiatives. The siloed, business-centric approach of the past has no place in a future where organisations are custodians of our data. What may seem an insignificant risk in one area can have a profound impact on other areas, cause GRC cascade effects and harm innocent third parties. In a small business this may be easily addressed under one hat, but even in medium-sized (SME) organisations the silo effect of resourcing and prioritisation soon emerges, and with it a complexity with its own inherent risk. As these activities themselves multiply risk, they have the effect of pouring cement into the gearbox of any well-oiled corporate machine. Is it therefore any wonder that organisations try to get away with what they can?

Organisations that recognise that this is not a bolt-on and address the systemic nature of the transformation will have a future. Those that do not will fail in increasingly uncompetitive ways as the divergence between these two classes of business practice grows.

Well, the digital honeymoon is over. For some it has lasted longer than for others, but where they all share common ground is in a complacency that they sit below any regulator’s or threat actor’s radar. After all, the last thing any business wants to do is find budget for a new expense and incur the cost of changes to business practices it does not see value in. This is short-sighted and should have alarm bells ringing for shareholders. Time to move on the complacent and move in the aware. Start by appointing a board-level Chief Cyber Security Officer.

For too long digital regulation has been seen as the realm of the big guys, and the rest of the world has trundled along with its digitisation unmolested, adopting digital practices as each sees fit. PCI DSS (the Payment Card Industry Data Security Standard, a contractual standard enforced through the card brands and acquirers rather than a law) is a case in point. Every business entity transacting any payment that requires card data to traverse or be held in any way on its systems MUST comply, and maintain that compliance for as long as it handles card data. But many don’t. It has established an attitude in many ecommerce businesses that regulation can be ignored. After all, the payment card industry has rarely withdrawn card facilities after a breach, material self-interest perhaps compromising and blunting the teeth of the standard.

GDPR is a completely different animal. In one word: VISIBILITY. GDPR requires notification of a personal data breach to the supervisory authority within 72 hours of becoming aware of it (Article 33), and notification of the affected individuals without undue delay where the breach is likely to result in a high risk to them (Article 34), so end users will be far more aware of breaches of their data. If you know where to look, tools such as ‘have I been pwned’ already exist that raise the stakes for businesses that try to duck their responsibilities. Organisations that are breached can bet that at some point their compromise will get into the public domain and become visible, and the cost of being found non-compliant is now crippling: up to 4% of global annual turnover or €20 million, whichever is greater. A business that does not take the basic steps towards cyber hygiene and breach readiness is gambling with its shareholders’ money. Research cited by the US Federal Emergency Management Agency (FEMA.gov) indicates that 40% of businesses do not recover when hit by a disaster and that, of those that do, 25% fail within 2 years. That is 55% of businesses failing within 2 years (the 40% that never recover plus a quarter of the remaining 60%), and those figures concern disasters in general rather than cyber incidents specifically. You will get better odds playing roulette.

A ‘compliance approach’ that aims to meet minimum standards should not be seen as a solution or as some form of alternative. It does not adequately deal with intelligent and evolving adversaries, as threats evolve faster than most standards and the practices built around them, and attackers know which standards you will have adopted and where the common holes are. So by focusing only on the standard you have already done half the groundwork for the attacker, leaving your gaps exactly where they expect to find them. Cyber security needs to become the new business operating model and core to an organisation’s DNA. Cyber-crime and cyber security need to be treated as the new normal, requiring continuous investment and monitoring at management and, crucially, board level.

Consider that 127 items are added to the Internet every second (calculations by Stringify CTO Dave Evans, former chief futurist at Cisco), which equates to approximately 328 million every month. The hyper-connected environments that businesses are now part of are under constant threat and getting more complex. Is it any wonder that regulation is now being imposed which businesses cannot ignore if they want to survive? If the breach doesn’t break you, the fines will.

The TalkTalk data breach fine of £400,000 levied by the UK Information Commissioner’s Office (ICO) was described by a client as a shock, followed by consternation when it was pointed out that the same breach, had it occurred after the GDPR deadline of 25 May 2018, could have incurred a fine of up to 4% of worldwide turnover. That could have cost TalkTalk £72 million based on its 2015 turnover.

I also had to remind the same client that the fine would have been at the top end because of TalkTalk’s inability to show basic readiness or diligence. The client had, meanwhile, continued to overlook the fact that the Data Protection Act 1998 requires every organisation or sole trader (data controller) electronically processing or storing personally identifiable information to register with the ICO, and that his organisation was NOT one of the exempt.

The ICO provides a very friendly self-assessment questionnaire (‘Registration self-assessment’), so go and check yourself if you are not convinced.

The GDPR fine is just the eye-watering headline, and belies the full cost implications, which require organisations to:

·       Apply privacy by design and by default, which are now legal requirements (Article 25)

·       Appoint a Data Protection Officer where required (Article 37: public authorities, and organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data; the obligation depends on the nature of the processing rather than simply on company size)

·       Adhere to mandatory breach notification to the supervisory authority within 72 hours of becoming aware of a breach.

This list is not exhaustive but illustrative only; please seek advice from a qualified source rather than relying exclusively on Internet sources.

Whilst this is going to mean cost for all companies to some degree, these costs are reality catching up with them and should now be regarded as opportunities to, counter-intuitively, cut costs as well. New IT consumption models such as cloud computing can enable greater security; they also increase business agility and, done properly, help reduce costs while improving efficiency and competitiveness by stripping out complexity. Considering that the average organisation deals with around 75 technology vendors, according to CIO magazine, and that each technology brings its own risk surface, just doing the basics and reducing that number is probably a good starting point for reducing both the attack surface and costs.

For many it will also mean changes to operational practices and to data retention, sharing and accountability practices, and that is a good thing. When was the last time you qualified the cyber hygiene of your supply chain? What is critical to reducing the cost is to get all the risk stakeholders and leads talking a common language, applying priorities to the business’s strategic objectives rather than their own silo priorities, and re-envisaging how they do business. This should be treated as the logical digitally transformative event that will protect the future of the organisation.

The breach notification duty is a good starting point, as it requires an organisation to demonstrate a proportionate degree of breach detection AND response discipline. As TalkTalk found out, its biggest failing was that the breach resulted from a known vulnerability (SQL injection) in web pages inherited through an acquisition, affecting data assets the company did not even know it owned. Worse still, the same pages had been compromised by the same technique not long before. No surprise it met with very little sympathy from the regulator. The advice to organisations is to be able to demonstrate reasonable efforts, which will limit any fine should a breach occur. A breach response plan is the simplest such measure, underpinned with cyber breach response insurance; this is a very cost-effective way to transfer part of the risk to a third party. Note that such insurance covers response and recovery costs; whether regulatory fines themselves are insurable is at best uncertain.

I predict that in less than 5 years this type of insurance will be as familiar as property fire insurance. In this case it is your digital property and your duty of care to the customers who entrust you with their data. It is an anomaly that when it comes to cyber risks businesses do not leverage insurance, instead preferring to pay orders of magnitude more for vendors’ shiny boxes that can often add to the problem and provide NO guarantees. A business that does the cyber security hygiene basics will eliminate 80–90% of the risks and can demonstrate compliance to offset the balance onto insurance. It’s the old KISS formula: keep it simple, silly.

With most hackers or external threats, you only need to run faster than the guy next to you when being chased by the bear 😉